##########################################################################################
PAS-21: Correlate Encrypted Traffic against DNS to obtain hostname
##########################################################################################

Issue Type: New Feature
-----------------------------------------------------------------------------------------

Issue Information
====================

Priority: Major
Status: Open
Resolution: Unresolved
Project: PCAP Analysis Script (PAS)
Reported By: btasker
Assigned To: btasker

Components:
- Mail
- SSL/TLS
- Data Correlation and Extraction

Affected Versions:
- 0.1

Targeted for fix in version:
- 0.2

Time Estimate: 60 minutes
Time Logged: 0 minutes
-----------------------------------------------------------------------------------------

Issue Description
==================

This will primarily benefit TLS connections to mailservers (as most HTTPS clients use SNI, the hostname is already recoverable for HTTPS).

Currently, for a connection to a mail server, we might have the following in _webtraffic.csv_:

-- BEGIN SNIPPET --
1447859681.050708000 192.168.3.64 65.55.122.74 39540 993 "" "" ...snip...
-- END SNIPPET --

We can see, at a glance, that it's probably IMAP over SSL (destination port 993, no Host header, no SNI), but we still don't have much information on which mailserver is being connected to. We know the IP, so we could go off and look it up, but that's potentially a lot of work for a big capture.

PAS-13 will be generating a DNS equivalent of webtraffic.csv, so once that information is available, it would be helpful if we could look for queries (around the time of the connection above) which resulted in that address being returned. Assuming we find something, the FQDN column can be updated to show who the user probably thought they were connecting to.

We should probably add an additional column to webtraffic.csv, though, to indicate where the FQDN was obtained from:

- Host Header
- SNI
- DNS traffic search

Especially for mail traffic, the last is perhaps less accurate where a mailserver handles multiple domains.
You could feasibly perform a lookup for "mail.innocentdomain.com" and then tell your script to talk to that mailserver as if it were "mail.farlessinnocentdomain.com"; the DNS search would then attribute the connection to the innocent name.
-----------------------------------------------------------------------------------------

Issue Relations
================

- is blocked by PAS-13: Extract DNS Traffic
- is blocked by PAS-20: Mail Handling
-----------------------------------------------------------------------------------------

Activity
==========
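Worked example of the correlation described in the Issue Description above. This is an added illustration, not PAS code. It assumes the PAS-13 DNS output has the columns timestamp, client, qname, answer_ip (the real layout is not yet defined), that only answers seen by the same client within the five minutes before the connection count, and that the webtraffic rows carry only the first seven columns of the snippet. Every sample row is constructed. It goes slightly beyond the description by flagging the multi-domain case: when more than one name recently resolved to the destination address, all candidates are reported and the source column marks the result as ambiguous.

```python
"""Fill the FQDN column of webtraffic.csv rows from the Host header, SNI or, failing
those, a search of DNS answers seen shortly before the connection.

Added illustration, not PAS code. The DNS CSV layout (timestamp,client,qname,answer_ip)
is an assumption; PAS-13 has not defined it yet. All sample data is constructed.
"""
import csv
from collections import defaultdict

# Assumption: a DNS answer only explains a connection made within this many seconds after it.
WINDOW_SECONDS = 300.0

# Constructed webtraffic.csv rows (only the first seven columns of the real file):
# timestamp src dst sport dport "host header" "sni"
WEBTRAFFIC_CSV = """\
1447859681.050708000 192.168.3.64 65.55.122.74 39540 993 "" ""
1447859690.120000000 192.168.3.64 93.184.216.34 39541 443 "" "www.example.com"
1447859695.000000000 192.168.3.64 93.184.216.34 39542 80 "www.example.com" ""
1447859700.000000000 192.168.3.64 203.0.113.10 39543 993 "" ""
"""

# Constructed DNS log in the assumed layout: timestamp,client,qname,answer_ip
DNS_CSV = """\
1447859500.000000000,192.168.3.64,mail.innocentdomain.com,203.0.113.10
1447859679.000000000,192.168.3.64,mail.farlessinnocentdomain.com,203.0.113.10
1447859680.900000000,192.168.3.64,imap.example.net,65.55.122.74
1447859680.950000000,192.168.3.65,other-client.example.org,65.55.122.74
1447859699.000000000,192.168.3.64,late.example.net,65.55.122.74
"""


def parse_webtraffic(text):
    """Parse space-separated, double-quoted webtraffic rows into dicts."""
    rows = []
    for fields in csv.reader(text.strip().splitlines(), delimiter=" ", quotechar='"'):
        ts, src, dst, sport, dport, host, sni = fields[:7]
        rows.append({"ts": float(ts), "src": src, "dst": dst, "sport": int(sport),
                     "dport": int(dport), "host": host, "sni": sni})
    return rows


def build_dns_index(text):
    """Index DNS answers as (client, answer_ip) -> list of (ts, qname), oldest first."""
    index = defaultdict(list)
    for ts, client, qname, ip in csv.reader(text.strip().splitlines()):
        index[(client, ip)].append((float(ts), qname.rstrip(".").lower()))
    for answers in index.values():
        answers.sort()
    return index


def dns_candidates(index, client, ip, conn_ts, window=WINDOW_SECONDS):
    """Distinct names `client` resolved to `ip` in the `window` seconds before
    `conn_ts`, newest first. Answers seen after the connection cannot have caused it."""
    names = []
    for ts, name in reversed(index.get((client, ip), [])):
        if conn_ts - window <= ts <= conn_ts and name not in names:
            names.append(name)
    return names


def resolve_fqdn(row, index):
    """Return (fqdn, source) for one row, preferring in-band evidence over DNS."""
    if row["host"]:
        return row["host"], "Host Header"
    if row["sni"]:
        return row["sni"], "SNI"
    names = dns_candidates(index, row["src"], row["dst"], row["ts"])
    if not names:
        return "", ""
    if len(names) > 1:
        # Several names recently resolved to this address: the server probably
        # serves multiple domains, so report all of them and flag the ambiguity.
        return "|".join(names), "DNS traffic search (ambiguous)"
    return names[0], "DNS traffic search"


def annotate(webtraffic_text, dns_text):
    """Return webtraffic rows with 'fqdn' and 'fqdn_source' columns filled in."""
    index = build_dns_index(dns_text)
    rows = parse_webtraffic(webtraffic_text)
    for row in rows:
        row["fqdn"], row["fqdn_source"] = resolve_fqdn(row, index)
    return rows


if __name__ == "__main__":
    for r in annotate(WEBTRAFFIC_CSV, DNS_CSV):
        print(f'{r["ts"]:.9f} {r["src"]} {r["dst"]} {r["sport"]} {r["dport"]} '
              f'"{r["fqdn"]}" "{r["fqdn_source"]}"')
```

Keying the index on (client, answer_ip) rather than on the address alone stops one host's lookups explaining another host's connections in a busy capture, and discarding answers that arrive after the connection avoids attributing it to a name that could not have been used. The ambiguous case is only the detectable half of the caveat above: a client that resolved one name and then spoke to the server as another leaves nothing in DNS to disagree with.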